FAA Introduces New Cybersecurity Rules for Airplane Manufacturers Amid Evolving Threats

For the first time in almost two decades, the Federal Aviation Administration (FAA) is proposing new cybersecurity regulations for airplane manufacturers. These regulations aim to codify standards that have, until now, been addressed via “special conditions” for specific aircraft, engines, or propellers. According to the source article, these updates were revealed on August 21 and target a fast-evolving cybersecurity threat landscape.

The proposed rules are part of a broader initiative spearheaded by the Biden Administration to enhance critical infrastructure security, as outlined in the FAA Reauthorization Act of 2024. The new rules require applicants for airworthiness certifications to assess and mitigate potential security risks for transport category airplanes, engines, and propellers.

Joseph Saunders, CEO and founder of RunSafe Security, has expressed concerns about the scope of these regulations. He questioned whether these minor updates are enough to fortify defenses in the face of increasingly brazen cyberattacks that could potentially ground entire fleets.

The FAA’s cautious approach may reflect its regulatory constraints, particularly following the Supreme Court’s Loper Bright decision, which has imposed limitations on the power of federal agencies to defend certain rules in court. Erik Dullea, a partner at Husch Blackwell, stated, “I don’t know to what extent the FAA’s comment in the proposed rule that this is not a significant change in practice is an attempt to step away from Loper Bright and questions on deference to agency authorities.”

While the new rulemaking aims to streamline current practices and provide a unified approach, stakeholders are concerned about its potential limitations. Some industry experts, like Michael Borgia from Davis Wright Tremaine LLP, see an approach focused more narrowly on specific threats as a refreshing departure from the broader, more expansive cybersecurity requirements set by other regulators.

However, clarifying these standards might also magnify existing ambiguities, particularly concerning the long-term collaboration required between manufacturers and operators for systems designed to last decades. This ongoing relationship is deemed necessary to address vulnerabilities discovered post-certification.

In conclusion, while the proposed updates are a step towards harmonizing cybersecurity requirements for the aviation industry, questions remain about their sufficiency to deal with such a dynamic and increasingly complex threat landscape.